M365 Mailbox (Graph)

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Microsoft 365 mailbox automation skill, but it needs review because draft creation can modify a mailbox without enforcing the confirmation policy that setup says is required.

Install only if you are comfortable granting Microsoft Graph mailbox access. Prefer minimal consent, avoid offline_access unless needed, and do not enable draft/send unless you want the agent to modify mailbox contents. Be aware that draft creation may happen without the confirmation safeguard implied by setup, and protect or delete the local token cache when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
When `consent === 'broad'`, the script requests `Mail.Read`, `Mail.ReadWrite`, and `Mail.Send` regardless of the narrower `allow`/`baseScopes` selected by the user. This creates a privilege mismatch: a profile that appears limited in policy can still obtain tokens capable of reading, modifying, and sending mail if the downstream code uses the granted token directly.

Missing User Warnings

Medium
Confidence: 87%
Finding
This script creates Outlook drafts through Microsoft Graph with the broad Mail.ReadWrite scope and directly embeds user-supplied recipient, subject, and body content. Even though it only creates a draft and not a sent message, it still writes to a mailbox and can be abused for deceptive content staging, data manipulation, or preparing unauthorized messages without any in-file confirmation, disclosure, or additional validation.

Missing User Warnings

Medium
Confidence: 87%
Finding
The token cache is serialized and written to disk, and the profile configuration is also persisted, but the user is not clearly warned that local credential material will be stored. On a shared or improperly secured system, another local user or process could access these files and reuse tokens or sensitive configuration to access the mailbox.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script can request broad Microsoft Graph mailbox scopes without a strong user-facing warning about the privacy and integrity impact. In an email-handling skill, these scopes enable access to message contents and the ability to modify or send mail, so understated consent language materially increases the risk of over-privileged authorization.

VirusTotal

66/66 vendors flagged this skill as clean.
